Use Case: Physical Security

August 30, 2023 · View on GitHub

Use Case: Physical Security

Vendor: AMAG

Product	Event Types	MITRE ATT&CK® TTP	Content
Symmetry Access Control	failed-physical-access physical-access	T1078 - Valid Accounts	9 Rules 4 Models

Vendor: AccessIT

Product	Event Types	MITRE ATT&CK® TTP	Content
Universal.NET	physical-access	T1078 - Valid Accounts	7 Rules 3 Models

Vendor: Avaya

Product	Event Types	MITRE ATT&CK® TTP	Content
Avaya VPN	failed-vpn-login vpn-login	T1133 - External Remote Services	1 Rules 1 Models

Vendor: Badge

Product	Event Types	MITRE ATT&CK® TTP	Content
Badge	failed-physical-access physical-access	T1078 - Valid Accounts	9 Rules 4 Models

Vendor: Badgepoint

Product	Event Types	MITRE ATT&CK® TTP	Content
Badgepoint	failed-physical-access physical-access	T1078 - Valid Accounts	9 Rules 4 Models

Vendor: Barracuda

Product	Event Types	MITRE ATT&CK® TTP	Content
Barracuda Firewall	failed-vpn-login network-connection-failed network-connection-successful remote-logon vpn-login vpn-logout	T1133 - External Remote Services	1 Rules 1 Models

Vendor: Brivo

Product	Event Types	MITRE ATT&CK® TTP	Content
Brivo	failed-physical-access physical-access	T1078 - Valid Accounts	9 Rules 4 Models

Vendor: CatoNetworks

Product	Event Types	MITRE ATT&CK® TTP	Content
Cato Cloud	network-alert vpn-connection vpn-login vpn-logout web-activity-allowed web-activity-denied	T1133 - External Remote Services	1 Rules 1 Models

Vendor: Check Point

Product	Event Types	MITRE ATT&CK® TTP	Content
Identity Awareness	failed-vpn-login network-connection-failed network-connection-successful vpn-login vpn-logout	T1133 - External Remote Services	1 Rules 1 Models
NGFW	app-login authentication-failed authentication-successful dlp-email-alert-in dlp-email-alert-out failed-vpn-login local-logon network-alert network-connection-failed network-connection-successful vpn-connection vpn-login vpn-logout web-activity-allowed web-activity-denied	T1133 - External Remote Services	1 Rules 1 Models
Security Gateway	failed-vpn-login vpn-login vpn-logout	T1133 - External Remote Services	1 Rules 1 Models
Security Gateway Virtual Edition (vSEC)	authentication-failed authentication-successful vpn-login	T1133 - External Remote Services	1 Rules 1 Models

Vendor: Cisco

Product	Event Types	MITRE ATT&CK® TTP	Content
Adaptive Security Appliance	authentication-failed authentication-successful dns-response failed-logon failed-vpn-login file-download file-upload nac-logon network-connection-successful process-created remote-logon vpn-login vpn-logout web-activity-denied	T1133 - External Remote Services	1 Rules 1 Models
AnyConnect	process-network vpn-login vpn-logout	T1133 - External Remote Services	1 Rules 1 Models
Duo Access Security	account-creation account-deleted account-lockout account-password-reset app-activity app-login authentication-failed authentication-successful failed-app-login failed-vpn-login vpn-login	T1133 - External Remote Services	1 Rules 1 Models
Firepower	authentication-successful dns-query dns-response failed-vpn-login file-download nac-logon netflow-connection network-alert network-connection-failed network-connection-successful process-created security-alert vpn-login vpn-logout web-activity-allowed web-activity-denied	T1133 - External Remote Services	1 Rules 1 Models
ISE	app-activity authentication-failed authentication-successful computer-logon config-change failed-logon failed-vpn-login nac-failed-logon nac-logon remote-logon vpn-login vpn-logout	T1133 - External Remote Services	1 Rules 1 Models
Meraki MX appliances	network-alert network-connection-failed network-connection-successful vpn-login vpn-logout web-activity-allowed web-activity-denied	T1133 - External Remote Services	1 Rules 1 Models

Vendor: Citrix

Product	Event Types	MITRE ATT&CK® TTP	Content
Citrix Netscaler	app-login authentication-failed failed-vpn-login process-created vpn-login vpn-logout	T1133 - External Remote Services	1 Rules 1 Models

Vendor: Cognitas CrossLink

Product	Event Types	MITRE ATT&CK® TTP	Content
Cognitas CrossLink	vpn-login	T1133 - External Remote Services	1 Rules 1 Models

Vendor: Datawatch Systems

Product	Event Types	MITRE ATT&CK® TTP	Content
DataWatch	failed-physical-access physical-access	T1078 - Valid Accounts	9 Rules 4 Models

Vendor: Dell

Product	Event Types	MITRE ATT&CK® TTP	Content
SonicWALL Aventail	vpn-login vpn-logout	T1133 - External Remote Services	1 Rules 1 Models

Vendor: F5

Product	Event Types	MITRE ATT&CK® TTP	Content
F5 BIG-IP	account-password-change-failed authentication-failed authentication-successful failed-logon failed-vpn-login network-connection-successful remote-logon vpn-login vpn-logout	T1133 - External Remote Services	1 Rules 1 Models
F5 BIG-IP Access Policy Manager (APM)	authentication-failed authentication-successful vpn-login vpn-logout	T1133 - External Remote Services	1 Rules 1 Models

Vendor: Fortinet

Product	Event Types	MITRE ATT&CK® TTP	Content
Fortinet VPN	authentication-successful failed-vpn-login vpn-login vpn-logout	T1133 - External Remote Services	1 Rules 1 Models

Vendor: Galaxy

Product	Event Types	MITRE ATT&CK® TTP	Content
Galaxy	failed-physical-access physical-access	T1078 - Valid Accounts	9 Rules 4 Models

Vendor: Gallagher

Product	Event Types	MITRE ATT&CK® TTP	Content
Access Control	failed-physical-access physical-access	T1078 - Valid Accounts	9 Rules 4 Models

Vendor: Generic Badge Access

Product	Event Types	MITRE ATT&CK® TTP	Content
Generic Badge Access	failed-physical-access physical-access	T1078 - Valid Accounts	9 Rules 4 Models

Vendor: Genetec

Product	Event Types	MITRE ATT&CK® TTP	Content
Genetec Badge	physical-access	T1078 - Valid Accounts	7 Rules 3 Models

Vendor: Honeywell

Product	Event Types	MITRE ATT&CK® TTP	Content
Honeywell Pro-Watch	failed-physical-access physical-access	T1078 - Valid Accounts	9 Rules 4 Models
Honeywell WIN-PAK	physical-access	T1078 - Valid Accounts	7 Rules 3 Models
honeywell siama	physical-access	T1078 - Valid Accounts	7 Rules 3 Models

Vendor: Huawei

Product	Event Types	MITRE ATT&CK® TTP	Content
Unified Security Gateway	authentication-successful network-alert process-created vpn-login	T1133 - External Remote Services	1 Rules 1 Models

Vendor: IBM

Product	Event Types	MITRE ATT&CK® TTP	Content
Lotus Mobile Connect	authentication-failed authentication-successful failed-vpn-login vpn-login	T1133 - External Remote Services	1 Rules 1 Models

Vendor: ICPAM

Product	Event Types	MITRE ATT&CK® TTP	Content
ICPAM	physical-access	T1078 - Valid Accounts	7 Rules 3 Models

Vendor: Johnson Controls

Product	Event Types	MITRE ATT&CK® TTP	Content
Johnson Controls P2000	physical-access	T1078 - Valid Accounts	7 Rules 3 Models

Vendor: Juniper Networks

Product	Event Types	MITRE ATT&CK® TTP	Content
Juniper Networks Pulse Secure	account-deleted app-activity authentication-failed authentication-successful failed-vpn-login network-connection-failed vpn-connection vpn-login vpn-logout	T1133 - External Remote Services	1 Rules 1 Models
Juniper SRX	authentication-successful failed-vpn-login network-alert network-connection-failed network-connection-successful security-alert vpn-login web-activity-allowed web-activity-denied	T1133 - External Remote Services	1 Rules 1 Models
Juniper VPN	account-deleted authentication-failed authentication-successful failed-vpn-login vpn-login vpn-logout web-activity-allowed	T1133 - External Remote Services	1 Rules 1 Models

Vendor: KABA EXOS

Product	Event Types	MITRE ATT&CK® TTP	Content
KABA EXOS	physical-access	T1078 - Valid Accounts	7 Rules 3 Models

Vendor: Lenel

Product	Event Types	MITRE ATT&CK® TTP	Content
Lenel OnGuard	failed-physical-access physical-access	T1078 - Valid Accounts	9 Rules 4 Models
OnGuard	failed-physical-access physical-access	T1078 - Valid Accounts	9 Rules 4 Models

Vendor: Lyrix

Product	Event Types	MITRE ATT&CK® TTP	Content
Lyrix	failed-physical-access physical-access	T1078 - Valid Accounts	9 Rules 4 Models

Vendor: Microsoft

Product	Event Types	MITRE ATT&CK® TTP	Content
DirectAccess	failed-vpn-login vpn-login	T1133 - External Remote Services	1 Rules 1 Models
Routing and Remote Access Service	authentication-successful vpn-login vpn-logout	T1133 - External Remote Services	1 Rules 1 Models
Windows	account-creation account-deleted account-disabled account-enabled account-lockout account-password-change account-password-change-failed account-password-reset account-switch account-unlocked app-login audit-log-clear audit-policy-change authentication-failed authentication-successful batch-logon computer-logon config-change dcom-activation-failed dns-query dns-response ds-access failed-app-login failed-logon failed-vpn-login file-close file-delete file-read file-write kerberos-logon local-logon logout-remote member-added member-removed nac-failed-logon nac-logon network-connection-successful ntlm-logon privileged-access privileged-object-access process-created process-network process-network-failed registry-write remote-access remote-logon security-alert service-created service-logon share-access share-access-denied task-created usb-activity usb-insert vpn-login vpn-logout winsession-disconnect workstation-locked workstation-unlocked	T1133 - External Remote Services	1 Rules 1 Models

Vendor: NCP

Product	Event Types	MITRE ATT&CK® TTP	Content
NCP	authentication-failed vpn-login vpn-logout	T1133 - External Remote Services	1 Rules 1 Models

Vendor: NetMotion Wireless

Product	Event Types	MITRE ATT&CK® TTP	Content
NetMotion Wireless	vpn-login vpn-logout	T1133 - External Remote Services	1 Rules 1 Models

Vendor: Nortel Contivity

Product	Event Types	MITRE ATT&CK® TTP	Content
Nortel Contivity VPN	vpn-login vpn-logout	T1133 - External Remote Services	1 Rules 1 Models

Vendor: Palo Alto Networks

Product	Event Types	MITRE ATT&CK® TTP	Content
GlobalProtect	app-activity authentication-failed authentication-successful config-change failed-logon failed-vpn-login remote-logon vpn-login vpn-logout	T1133 - External Remote Services	1 Rules 1 Models
NGFW	authentication-failed authentication-successful config-change dlp-alert file-alert network-alert network-connection-failed network-connection-successful remote-logon security-alert vpn-login web-activity-allowed web-activity-denied	T1133 - External Remote Services	1 Rules 1 Models

Vendor: Paxton

Product	Event Types	MITRE ATT&CK® TTP	Content
NET2DOOR	failed-physical-access physical-access	T1078 - Valid Accounts	9 Rules 4 Models

Vendor: PicturePerfect

Product	Event Types	MITRE ATT&CK® TTP	Content
PicturePerfect	physical-access	T1078 - Valid Accounts	7 Rules 3 Models

Vendor: Ping Identity

Product	Event Types	MITRE ATT&CK® TTP	Content
PingOne	app-login authentication-successful failed-app-login vpn-login	T1133 - External Remote Services	1 Rules 1 Models

Vendor: RS2

Product	Event Types	MITRE ATT&CK® TTP	Content
RS2	failed-physical-access physical-access	T1078 - Valid Accounts	9 Rules 4 Models
RS2 Technologies	failed-physical-access physical-access	T1078 - Valid Accounts	9 Rules 4 Models

Vendor: RedCloud

Product	Event Types	MITRE ATT&CK® TTP	Content
RedCloud	failed-physical-access physical-access	T1078 - Valid Accounts	9 Rules 4 Models

Vendor: RightCrowd

Product	Event Types	MITRE ATT&CK® TTP	Content
RightCrowd	failed-physical-access physical-access	T1078 - Valid Accounts	9 Rules 4 Models

Vendor: SSL Open VPN

Product	Event Types	MITRE ATT&CK® TTP	Content
SSL Open VPN	app-activity app-activity-failed authentication-failed authentication-successful failed-vpn-login vpn-login vpn-logout	T1133 - External Remote Services	1 Rules 1 Models

Vendor: SecureNet

Product	Event Types	MITRE ATT&CK® TTP	Content
SecureNet	vpn-login vpn-logout	T1133 - External Remote Services	1 Rules 1 Models

Vendor: SecurityExpert

Product	Event Types	MITRE ATT&CK® TTP	Content
SecurityExpert	physical-access	T1078 - Valid Accounts	7 Rules 3 Models

Vendor: Sensormatik

Product	Event Types	MITRE ATT&CK® TTP	Content
Sensormatik	failed-physical-access physical-access	T1078 - Valid Accounts	9 Rules 4 Models

Vendor: Siemens

Product	Event Types	MITRE ATT&CK® TTP	Content
Siemens	failed-physical-access physical-access	T1078 - Valid Accounts	9 Rules 4 Models

Vendor: Sonicwall

Product	Event Types	MITRE ATT&CK® TTP	Content
Sonicwall	failed-vpn-login network-alert remote-logon vpn-login vpn-logout web-activity-allowed web-activity-denied	T1133 - External Remote Services	1 Rules 1 Models

Vendor: Sophos

Product	Event Types	MITRE ATT&CK® TTP	Content
Sophos XG Firewall	app-login failed-vpn-login network-connection-failed network-connection-successful vpn-login vpn-logout web-activity-allowed web-activity-denied	T1133 - External Remote Services	1 Rules 1 Models

Vendor: Swipes

Product	Event Types	MITRE ATT&CK® TTP	Content
Swipes	physical-access	T1078 - Valid Accounts	7 Rules 3 Models

Vendor: TimeLox

Product	Event Types	MITRE ATT&CK® TTP	Content
TimeLox	failed-physical-access physical-access	T1078 - Valid Accounts	9 Rules 4 Models

Vendor: Tyco

Product	Event Types	MITRE ATT&CK® TTP	Content
CCURE Building Management System	app-activity app-login failed-physical-access physical-access	T1078 - Valid Accounts	9 Rules 4 Models

Vendor: Vanderbilt

Product	Event Types	MITRE ATT&CK® TTP	Content
Vanderbilt	failed-physical-access physical-access	T1078 - Valid Accounts	9 Rules 4 Models

Vendor: Viscount

Product	Event Types	MITRE ATT&CK® TTP	Content
Viscount	failed-physical-access physical-access	T1078 - Valid Accounts	9 Rules 4 Models

Vendor: Visma

Product	Event Types	MITRE ATT&CK® TTP	Content
Megaflex	failed-physical-access physical-access	T1078 - Valid Accounts	9 Rules 4 Models

Vendor: Zscaler

Product	Event Types	MITRE ATT&CK® TTP	Content
Zscaler Private Access	vpn-login vpn-logout	T1133 - External Remote Services	1 Rules 1 Models